b'              U.S. Department of Energy\n              Office of Inspector General\n              Office of Audit Services\n\n\n\n\n  Audit Report\n\nThe Department\'s Audit Resolution\nand Follow-up Process\n\n\n\n\nDOE/IG-0766                                 May 2007\n\x0c                             Department sf Energy\n                                 WasliingTon,         DC 20585\n\n                                 May 2 4 ,           2007\n\n\n\n\nFROM:                     +*\nMEMORANDUM FOR THMECRE5-TARY\n\n                         Greg ry . Friedman\n                         Inspector General\n\nSUBJECT:                 INFORMATION: Audit Report on "The Department\'s Audit\n                         Resolution and Follow-up Process"\n\nBACKGROUND\n--\n\n\n\nOver the years, the Office of Inspector General has issued findings and recoinmendations\naddressing numerous aspects of the Department of Energy\'s programs, operations and\nmanagement hnctions. In many cases, the Department has concurred with the findings\nand reported that corrective actions to resolve problems or improve the efficiency of its\noperations have been implemented. Clearly, ensuring that identified internal control\nweaknesses are addressed and corrected is essential to improving the effectiveness and\nefficiency of Departmental operations.\n\nThe Office of Inspector General is tasked with periodically evaluating the Department\'s\naudit follow-up systems and assessing whether the systems result in effective, prompt,\n:rnd proper resolution of audit recommendations. As such, in February 2003, we\nreviewed The Department\'s Audit Resolution Process (DOE/IG-0639) and found that:\n(1) target dates for completion of corrective actions had not been established in all cases;\n(2) where target dates had been established, corrective actions taken had exceeded\nmilestones; and, (3) recommendations had been closed even though corrective actions\nhad not been taken. Shortly thereafter, as a result of the 2003 audit, the Department\nstrengthened its audit resolution requirements, including requiring the establishment of\ntarget dates, timely closure of audit recommendations, and the implementation of\ncorrective actions. We initiated the current audit to evaluate the Department\'s progress in\ncorrecting prior audit follow-up issues and to determine whether issues identified through\nrecent Office of Inspector General audits had been resolved.\n\nRESULTS OF AUDIT\n\nWe found that the Department had made significant improvemeilts to many aspects of its\nfollow-up system. In particular, it had ensured that target closure dates were established\nfor all agreed-upon recommendations and that, in most cases, audit recommendations\nwere closed in a timely manner. However, we found that, in some cases, agreed-upon\nrecommendations had been closed, but corrective actions had either not been completed\nor were ineffective.\n\n\n\n\n                               @     I\'rnnlcd wilh soy inl: on rcryrled paper\n\x0cOur review of "closed" recommendations contained in six selected reports found\nsignificant continuing management issues relating to:\n\n           Ensuring that employee badges were returned and security clearances were\n           terminated as required;\n\n           Tracking visits and assignments by foreign nationals;\n\n           Consolidating duplicative nuclear material tracking systems; and,\n\n           Resolving information technology security weaknesses.\n\nEffective corrective actions had not been taken, at least in part, because the Department\'s\nProgram Offices and the National Nuclear Security Administration had not given\nsufficient management attention to the audit resolution and follow-up process. In some\ncases, corrective action plans developed at Headquarters and/or the National Nuclear\nSecurity Administration had not been communicated to sites or subordinate organizations\nfor implementation. In other cases, the Department had not verified that all planned\nactions had been implemented or that officials had fully addressed and corrected the root\ncauses of previously issued. Inspector General findings. In addition, although specifically\nrequired, Departmental elements that had not been parties to the initial reviews had not\nbeen examining OIG reports to determine whether the same or similar problems existed\nwithin their own organizations.\n\nAs is more fully described in the report itself, progress was noted in several areas.\nFurther, in a separate review on the Status of Prior E.xport Control Recomnzerzdatioizs ai\nthe Department of Energy (INS-0-07-01), we found that recommendations specific to this\nprogram had been appropriately closed. IVonetheless, additional actions are needed.\n\nConsistent with the statutory mission of the Office of Inspector General, the audit process\nprovides an important mechanism for assisting management in improving the\nperformance of the Department and its programs. The audit follow-up and resolution\nprocess is critical to achieving this goal. Consequently, based on the findings in this\nreport, we have provided several recommendations designed to make this process as\neffective and useful as possible.\n\nMANAGEMENT COMMENTS\n\nThe Department and the National Nuclear Security Administration provided joint\ncomments on the draft report and concurred with the recommendations. In particular,\nmanagement agreed to issue guidance reemphasizing the requirements of the audit\nresolution and follow-up program and perform periodic follow-up activities to help\nensure effective implementation of the guidance. The National Nuclear Security\nAdministration added that it would formalize its certification methodologies for use by\nthe site managers, the Service Center Director, and senior program officials in its\norganization. Management\'s comments have been incorporated into the report and\nincluded verbatim as Appendix 4.\n\x0cAitaclment\n\ncc:   Deputy Secretary\n      Acting Under Secretary of Energy\n      Under Secretary for Science\n      Principle Deputy Administrator, National Nuclcar Security Administration\n      Chief Financial Officer\n      Chief Information Officer\n      Chief of Staff\n\x0cREPORT ON THE DEPARTMENT\'S AUDIT RESOLUTION AND\nFOLLOW-UP PROCESS\n\n\nTABLE OF\nCONTENTS\n\n     Audit Resolution and Follow-up Process\n\n     Details of Finding .............................................................................................. 1\n\n     Recommendations and Comments ............................................................... I I\n\n\n     Appendices\n\n     1. Objective, Scope, and Methodology ........................................................... 14\n\n     2. Audit Reports Reviewed. ............................................................................ 16\n     ?\n     2.\n          -rrior Reporis ............................................................................................... 1\n                                                                                                                         0\n                                                                                                                         o\n\n\n     4. Management Comments ............................................................................ -20\n\x0cAudit Resolution   Since our 2004 report was issued, the Department of\nActivities         Energy (Department) has made significant ilnproveinents in\n                   establishing target dates designed to guide the co~npletion\n                   of corrective actions and in ensuring timely closure of audit\n                   recommendations. Our current review of all audit reports\n                   issued during the first half of 2005 disclosed that:\n\n                          Target dates for completion of corrective actions\n                          had been established in the Departmental Audit\n                          Report Tracking System (DARTS) for all\n                          recommendations we reviewed; and,\n\n                          Only 17 percent of the planned corrective actions\n                          exceeded closure milestones.\n\n                   Tbis is in c\'ontrast to thr results identified In 3vr 3004\n                   report where target dates for completion of corrective\n                   actions had been established for only 56 percent of the\n                   recommendations and 57 percent of the corrective actions\n                   taken exceeded closure milestones.\n\n                   However, similar to our 2004 report, our analysis found\n                   that the Department continued to close certain\n                   recommendations even though corrective actions had not\n                   been taken. Specifically, for each of the six reports with\n                   "-lp~ndlt\n                    r.V.,i-  -o,-prnp,n-rl-t;--c 2. -Trh;rh\n                            I rVVIILIIILAIUrlLIULLd  *,      rrr,\n                                                             v v   -\n                                                               L r f c m z ?iz-\n                                                                       -n\n\n\n\n                   depth reviews, we found that at least one previously\n                   identified issue had not been resolved. F& example, we\n                   found continuing issues with employee badging and\n                   clearances, foreign national visitor access controls, project\n                   management, nuclear material tracking systems, and\n                   information technology security.\n\n                                       Badging and Security Clearances\n\n                   Our audit of Persorznel Security Cleara~zcesand Badge\n                   Access Controls at Selected Field Locations (DOEIIG-\n                   0582, January 2003) identified significant error rates in the\n                   Departnlent\'s official clearance information database\n                   (Central Personnel Clearance Index, or CPCI) for Savannah\n                   River Site (Savannah River) and Sandia National\n                   Laboratories (Sandia). We also identified that a\n                   statistically significant number of badges had not been\n                   recovered from former contractor and other non-federal\n                   workers at the Oak Ridge Reservation (Oak Ridge).\n                   Management generally concurred with the\n                   recommendations in this report, agreed\n\nPage 1                                                             ~ e t a i l sof Finding\n\x0c         to take corrective actions, and certified the effectiveness of\n         those corrective actions in accordance with Department\n         requirements.\n\n         However, our recent analysis of CPCI indicates that these\n         issues persist at three of the Department sites included in\n         our January 2003 review. For example, 171 employees at\n         the Y- 12 National Security Complex (Y - 12) were\n         designated as "active" in the Department\'s CPCI system,\n         but had been identified as "separated fiom duty" in the\n         corresponding Y- 12 Human Resource system as of May\n         2006. After allowing for potential timing differences and\n         items that may have been discovered during quarterly\n         reconciliations, we identified 142 employees who were no\n         longer associated with the Department but still maintained\n         an active security clearance. All except two of these 142\n         individuals had "Q" clearances.\n\n         Security clearances at East Tennessee Technology Park\n         (ETTP) were also not always terminated fiom the CPCI\n         system in a timely manner. Our analysis showed that, as of\n         May 2006,34 employees (18 with "Q" clearances) who had\n         reportedly worked at ETTP and should have had their\n         security clearances terminated or transferred were still\n         listed as active in the CPCI system. Of these employees,\n         20 individuals had active security clearances in the CPCI\n         system for over six months after their termination fiom\n         ETTP.\n\n         ETTP, in responding to the results of our testing, stated that\n         they had been granted a variance allowing security\n         clearances to be retained for 180 days beyond termination\n         and this situation accounted for some of the termination\n         discrepancies we identified. We noted, however, that the\n         variance expired in January 2005, prior to the date many of\n         these employees left ETTP. For seven of the cases, ETTP\n         indicated that en~ployeeshad been transferred to\n         subcontractors or other Department locations, however, we\n         found that the clearance sponsor code in CPCI had not been\n         changed as required. Finally, ETTP stated that nine of the\n         employees we determined to have improperly retained\n         clearances had never worked there - despite being listed in\n         ETTP\'s human resources system and identified in CPCI as\n         holding clearances sponsored by ETTP.\n\n         Despite our findings, ETTP officials told us that their\n         current security clearance administration process and\n\nPage 2                                          ~ e t a i lof\n                                                            s Finding\n\x0c                                    tracking activities were appropriate. They based their\n                                    coi~clusion,in part, on a security survey completed by Oak\n                                    h d g e Operations that rated their program as satisfactory.\n                                    The survey was completed in February 2007, just over four\n                                    years after the completion of our January 2003 review.\n\n                                     Finally, the previously reported issue of not recovering\n                                     badges from former employees has also not been\n                                     conlpletely resolved by the Department\'s contractors. For\n                                     example, two recently issued Office of Inspector General\n                                     (OIG) reports found that a number of terminated employees\n                                     had not returned their security badges to Sandia and Los\n                                     Alamos National Laboratories (Los ~ l a m o s ) as\n                                                                                     \' required.\n                                     Similarly, the Oak Ridge Operations Security Survey noted\n                                     above included a finding that ETTP was not immediately\n                                     regortins lost. stolen. missing. and non-recovered badzes to\n                                     the Department.\n\n                                                     Foreign National Visitor Access\n\n                                     Our audit of The Depa~tlnent\'sUnclass~jiedForeign Visits\n                                     and Assignnzelzts Progranz (DOEIIG-0579, December\n                                     2002) d~tellliiiledtlist ihe Depai-tiiieiit llad ilot adcqilzitelj;\n                                     controlled unclassified visits and assignments by foreign\n                                     nationals at two national laboratories. Specifically, we\n                                     fniind that not all f n r ~ i g nnationals had ciirrent ~ a s s ~ o r t s\n                                     and visas and that sites had not reported sufficient\n                                     information to enable the Department to properly track all\n                                     foreign visitors and assignees in the Foreign Access Central\n                                     Tracking System (FACTS). FACTS is the Department\'s\n                                     official national database of information on unclassified\n                                     foreign visits and assignments. The Department generally\n                                     agreed with our findings, conclusions, and\n                                     recommendations; initiated immediate corrective actions;\n                                     and ultimately certified the effectiveness of those corrective\n                                     actions. However, our current review found evidence that\n                                     these issues persist at at least one of the Department sites.\n\n                                     Our current review of the same Office of Science-managed\n                                     national laboratory analyzed in our prior report identified that\n                                     the local foreign national visits and assignments system still\n                                     did not have sufficient information. For example, a total of\n                                     4,911 of its 7,802 (63 percent) foreign national visits and\n\nI\n    Badge Retrieval and Security Clearance Termiizatioiz at Sandia National Laboratoiy-New Mexico\n    (DOEIIG-0724, April 2006)\n    Security and Other Issues Related to Out-Processing of Ei7zployees at Los Alanzos National Laboratoiy\n    (DOEJIG-0677, February 2005)\n\nPage 3                                                                              Details of Finding\n\x0c         assignments from January 2005 through April 2006 did not\n         have complete or valid information related to passports and\n         visas. In addition, our comparative analysis revealed that\n         FACTS records from that same time period indicated that\n         the national laboratory had 8,340 visits and assignments,\n         while the laboratory\'s local system only listed 7,802.\n\n         Additionally, the Department has identified similar issues\n         during its own site-specific reviews of foreign national\n         access controls. During reviews conducted by the Chicago\n         Operations Office in September 2003 and September 2005,\n         officials found that the same national laboratory was not\n         consistently entering visits and assignments information\n         into FACTS and was not closing out visits and assignments\n         as specified in Departmental directives. While the\n         existence of the Departmental reviews indicates that this\n         area is periodically being evaluated, the consistently\n         negative results also tend to demonstrate that the national\n         laboratory is not effectively correcting the issues we\n         reported in December 2002. Due to the complex nature of\n         this issue and potential national security implications, we\n         have initiated a separate audit of the Department\'s Foreign\n         Visits and Assignments program.\n\n                             Project Management\n\n         In our February 2001 audit of the U.S. Department of\n         Energy\'s Corporate Human Resource Information Systeiiz\n         (DOEIIG-0494), we determined that the Department had\n         not adhered to project planning requirements for system\n         development projects - including updating its cost benefit\n         analyses to reflect project delays, cost increases, and scope\n         changes. While the Department agreed to revise its cost\n         benefit analysis to address the associated recommendation,\n         a follow-up audit, 7 k e Department\'s Development and\n         Implementation of the Corporate Human Resource\n         Information System (OAS-L-06- 14, May 2006), determined\n         that it did not do so. Even though management officials\n         performed analyses on one component of this system and\n         on Fiscal Year (FY) 2006 and out-year costs and benefits,\n         the effort did not provide an overall picture of the project\'s\n         costfbenefit or its return on investment from inception.\n         Without such analyses, management lacked the tools\n         necessary to closely monitor project cost (approximately\n         $37 million through FY 2005), schedule, and performance.\n\n\n\n\nPage 4                                           Details of Finding\n\x0c                     Nuclear Materials Tracking Systems\n\n         Our report on Nz~clearMaterials Accountirlg Sysfelns\n         Modernization Initiative (DOEIIG-0556, June 2002)\n         identified that the Department had not adequately managed\n         its activities to redesign or modenlize its nuclear materials\n         accounting systems. Moreover, planned and on-going\n         system development efforts were not hlly consistent with\n         the Corporate Systems Infom~ationArchitecture. We\n         recommended, among other things, that the Department\n         develop a coordinated approach and select a final\n         alternative for modernizing nuclear materials accounting\n         information systems that was consistent with the\n         Department\'s Corporate Systems Information Archtecture\n         as well as security and program specific operational needs.\n         However, in September 2002, the recomnlendations were\n         closed in DARTS because of the Department\'s decision to\n         track the status of the recommendations as part of the\n         e-Gov Presidential Initiative (Initiative). According to a\n         National Nuclear Security Administration (NNSA) official,\n         tracking the reconlrnendations in DARTS was no longer\n         needed because it would cause duplicative reporting on the\n         status of these recomendztjons.\n\n         In October 2002, an assurance letter was signed by a\n         NNSA official that certified that all necessary actions had\n         been taken for audit follow-up assessment and corrective\n         actions pertaining to t h s report\'s recommendations were\n         complete even though the recommendations were still\n         being addressed and tracked through the Initiative.\n         However, almost three years and over $1.2 million later,\n         the Nuclear Material Accountability (Nh4A) Project was\n         terminated under the Initiative. In spite of management\'s\n         assertion regarding closure, there was no final resolution of\n         our recommendations. In addition, we could not locate or\n         obtain fom~aldocumentation on the NMA Project\'s close\n         out. As a result of the Initiative, management told us that\n         some process improvements have been implemented while\n         some are still on-going. W l e the improvements are a\n         positive step, we do not believe that the Department has\n         fully resolved the problen~soutlined over four years ago.\n\n         NNSA provided technical comments to a draft of this\n         report indicating that the method of resolution for this\n         report was rare, if not unique. NNSA stated that they did\n         work to resolve the concerns raised by the report through\n         the e-Gov initiative, but that management made a decision\n\n\nPage 5                                           Details of Finding\n\x0c         to terminate the initiative prior to resolution. While NNSA\n         agrees that the recommendations made in the original\n         report had not been addressed, they believe that they were\n         not remiss in their duties. However, the issues identified in\n         the report continue to exist.\n\n                      Information Technology Security\n\n         We also observed that findings and recommendations made\n         in our annual reports on The Department\'s Unclasszfied\n         Cyber Security Program are often repeated from site-to-site\n         or program-to-program. For example, our evaluation of the\n         Information Technology Management Letter on the Audit of\n         the Department of Energy\'s Consolidated Financial\n         Statements for Fiscal Year 2005 revealed that 13 of the 25\n         findings identified were the same or similar to findings in\n         the FY 2004 management letter. This includes one finding\n         related to computer security certification and accreditation\n         that has been reported since 2002 at the Argonne National\n         Laboratory and has been issued again as a repeated finding\n         in FY 2006. Finally, a recent OIG report, Certzfication and\n         Accreditation of Unclassz3ed Information Systenzs\n         (DOEIIG-0752, January 2007) also identified that the\n         Department\'s systems were not properly certified and\n         accredited for operation. The report found that many sites\n         had not properly assessed the potential risk to their systems.\n\n                         Portsmouth Conversion Line\n\n         In our March 2004 audit on Depleted Uranium\n         Hexafluoride Conversion (DOEIIG-0642), we concluded\n         that the Department\'s plan for converting depleted uranium\n         hexafluoride inventories could be improved by adding an\n         additional conversion line to the Portsmouth facility. We\n         recommended that the Manager at the site conduct a cost-\n         benefit analysis to determine the optimum size and\n         operation of the Portsmouth depleted uranium hexafluoride\n         conversion facility and based on the results of the review,\n         implement the most cost-effective approach. While the\n         Department performed a cost-benefit analysis in May 2005\n         which showed that adding the fourth line to the Portsmouth\n         facility could save $55 million, it had not implemented the\n         most cost-effective approach to converting depleted\n         uranium hexafluoride to a more stable form. A recent\n         follow-up OIG report, Follow-up of Depleted Uranium\n         Hexajluoride Conversion (DOEIIG-075 1, December 2006)\n         noted that, as of August 2006, the Department had not\n\nPage 6                                           Details of Finding\n\x0c                           added the fourth conversion line even though it had begun\n                           construction of the facility eleven months earlier.\n                           Operational efficiencies and cost savings from an\n                           additional conversion line at the facility were still viable.\n                           Specifically, the Department could still save at least $35\n                           million in life-cycle costs by reducing the operations\n                           schedule by nearly five years if the fourth line is added to\n                           the project.\n\nSufficient Management Previously identified deficiencies were not resolved,\nAttention             at least in part, because the Department\'s program offices\n                      and NNSA did not give sufficient management attention to\n                      the audit resolution and follow-up process. In some cases,\n                      corrective action plans developed at the Headquarters level\n                      were not communicated to applicable sites for\n                      implementation. In other cases, the Department had not\n                      effectively verified that all planned actions had been\n                      implemented or that they had fully correctedaddressed the\n                      root causes of previously issued findings. In addition,\n                      Departmental elements not included in the initial review\n                      had not been reviewing OIG reports to determine whether\n                      there were "lessons learned" which could be applicable to\n                      their own organizations.\n\n                                              Corrective Action Plans\n\n                           In some cases, corrective action plans developed by\n                           Headquarters program offices andor NNSA had not been\n                           communicated to applicable sites for implementation.\n                           Department policy requires that a corrective action plan be\n                           developed by the primary organization within the\n                           Department to address each open recommendation.\n                           Communication between Headquarters organizations and\n                           their applicable sites regarding implementation of\n                           developed corrective action plans is a vital part of the audit\n                           resolution and follow-up process. However, we identified\n                           some instances where this communication did not occur.\n\n                           For example, the January 2003 OIG report on badging and\n                           security clearances included recommendations addressed to\n                           NNSA Headquarters. However, NNSA Headquarters\n                           officials stated that they did not have a formal corrective\n                           action plan other than the actions in DARTS. We\n                           contacted an official from Los Alamos, one of the sites\n                           included in our original report, to deternine whether that\n                           site had developed a formal corrective action plan to\n                           address the open recommendations. The Los Alamos\n\nPage 7                                                             Details of Finding\n\x0c         official stated that NNSA Headquarters would have the\n         responsibility for developing a corrective action plan for\n         the Los Alamos site since the recommendations were\n         addressed to Headquarters. At the time of our review,\n         NNSA Headquarters had not transmitted a corrective action\n         plan to Los Alamos and that site had not developed their\n         own corrective action plan to address the issues identified\n         in 2003. In this case, the problems related to badging and\n         clearances were still occurring at Los Alamos in February\n         2005, as demonstrated by the previously identified\n         inspection report on this subject.\n\n         For the same 2003 OIG audit report on badging and\n         clearances, the Office of Environmental Management (EM)\n         also never provided the necessary guidance to the ETTP\n         site. In a response to the original draft report, the Assistant\n         Secretary for EM stated that a letter of guidance for ETTP\n         would be prepared concerning the major issues covered in\n         our report. This was to be followed, in early 2003, with the\n         implementation of corrective actions and validation reviews\n         conducted every three months to ensure acceptable\n         implementation. However, due to the Office of Science\'s\n         landlord responsibilities over the entire Oak Ridge\n         Reservation, which includes ETTP, there was conhsion\n         over which program office ultimately needed to direct\n         ETTP on corrective actions. Our review revealed that\n         neither program office provided ETTP with a letter of\n         guidance nor were validation reviews ever performed. In\n         fact, the corrective actions that were to be implemented at\n         ETTP were never included in the DARTS tracking system.\n         Both our current review, and a self assessment conducted\n         by ETTP in June 2006, indicated that problems still\n         remained in this area, even though the recommendations\n         from our original report were closed over two years ago.\n\n                        Effectiveness of Actions Taken\n\n         While we found written assurances from each of the\n         program offices andlor NNSA certifying the effectiveness\n         of the corrective actions taken, none of the Department\n         offices had performed formal audit follow-up assessments\n         or reviews as required by Departmental Order. These\n         reviews were designed to verify that actions had actually\n         been taken or that weaknesses reported in OIG audits had\n         been corrected. According to the Order, only after these\n\n\n\n\nPage 8                                            Details of Finding\n\x0c                                 assessments or reviews are completed should the\n                                 recommendatioi~sbe certified for closure by the head of the\n                                 program office or NNSA.\n\n                                 Officials from the Office of Science (Science) told us that\n                                 instead of formally verifying the implementation of\n                                 corrective actions, they hold site managers accountable for\n                                 audit resolution by including it in their performance\n                                 appraisals. However, the officials were unable to provide\n                                 us with sufficient documentation that audit resolution and\n                                 follow-up was actually included in site managers\'\n                                 performance appraisals and, as evidenced by our recent\n                                 findings, this approach has not been completely effective.\n                                 In addition, NNSA and EM officials told us that formal\n                                 audit follow-up assessments or reviews had not been\n                                 performed.\n\n                                        Applicability of Findings and Recommendations\n\n                                 Departmental organizations not included in OIG audits did\n                                 not always review published reports for potential "lessons\n                                 learned." In response to a recommendation from our 2004\n                                 report on audit resolution and follow-up, the relevant\n                                 Department Order was revised to require each primary\n                                 Departmental organization to review audit report findings\n                                 and recommendations assigned to other organizations for\n                                 applicability and to determine whether actions needed to be\n                                 taken to resolve the issues identified.\n\n                                 We found, however, that the requirement to perform such\n                                 reviews had not been implemented at the Departmental\n                                 organizations we reviewed. For example, our 2003 report\n                                 on personnel clearances and badge access controls was\n                                 conducted at three NNSA sites - Sandia, Los Alamos, and\n                                 Y-12. The recommendations in that report were directed to\n                                 the Associate Administrator for Facilities and Operations\n                                 within NNSA. Since NNSA concurred with the\n                                 recommendations and planned to take corrective actions to\n                                 address the conditions cited, all NNSA facilities should\n                                 have examined their badging programs for problems;\n                                 however, that was not done. The absence of a process to\n                                 review audits for applicability at other sites may have also\n                                 contributed to the issues identified in a recent inspection\n                                 report2 on Lawrence Livermore National Laboratory\n\n\n Security Clearance Terminations and Badge Retrieval at the Lawrence Livermore National Laboratory\n(DOEITG-07 16, January 2006)\n\nPage 9                                                                       Details of Finding\n\x0c                (Livermore). Similar to the 2003 report mentioned above,\n                the inspection determined that Livermore had not retrieved\n                security badges at the time of employees\' departure and had\n                not terminated security clearances of departing employees\n                in a timely manner.\n\n                In contrast, we found that the Strategic Petroleum Reserve\n                (SPR) had a process where they review all OIG reports to\n                determine whether issues identified may be applicable to\n                the SPR. In April 2004, SPR analyzed our 2004 report on\n                audit resolution and determined that it had local\n                implications. Specifically, there had been a few instances\n                at SPR where audit findings were not resolved in a timely\n                manner. The contractor\'s management responded by\n                tracking the status of open recommendations each quarter\n                and stressing timely close-out in discussions with impacted\n                personnel. SPR\'s review of our report ultimately\n                strengthened their process of tracking open\n                recommendations.\n\nImprovement     Without effectively implementing existing audit resolution\nOpportunities   requirements, the Department has not taken full advantage\n                of opportuilities to improve program perfoimance,\n                accountability, and achieve cost savings. This is especially\n                critical in key areas such as those listed annually in our\n                report on Management Challenges at the Department of\n                Energy. As noted above, we identified audit follow-up\n                deficiencies on reports related to national security and\n                project management, both of which have been included as\n                significant management challenges since November 2000.\n\n                The importance of the Department\'s operations and the\n                continuous and changing nature of threats, make national\n                security a challenge that requires management\'s continued\n                vigilance and emphasis. Once identified, it is imperative\n                that security weaknesses are corrected immediately to\n                protect the Department\'s facilities and classified\n                information. In this case, failure to implement effective\n                corrective actions in response to our audit reports on\n                personnel security clearances and badging, and foreign\n                visits and assignments increased the risk that security could\n                be breached at Departmental sites.\n\n                In this report, we cite three examples of audit reports that\n                questioned the Department\'s management of specific\n                projects (Corporate Human Resource Information System,\n                Nuclear Materials Accounting System Modernization\n\nPage 10                                                Details of Finding\n\x0c                  Initiative, and Depleted Uranium Hexafluoride\n                  Conversion). These were all multi-million dollar projects,\n                  each of which included practices that linlited management\'s\n                  ability to closely monitor project costs, schedules, and\n                  performance. These issues should have been corrected in\n                  response to the recommendations included in our audit\n                  reports. Unfortunately, subsequent reviews indicated that\n                  the problems originally reported were never completely\n                  resolved and continued to impact the Department\'s ability\n                  to successfully complete these projects. An effective audit\n                  resolution and follow-up program should have noted these\n                  examples and not permitted closure of the\n                  recommendations until action was completed.\n\n\nRECOMMENDATIONS   We recommend that either Program Secretarial Officers,\n                  in coordination with the Chief Financial Officer or the\n                  Administrator, NNSA, as appropriate, reinforce existing\n                  requirements by:\n\n                      1. Ensuring that fonnal corrective action plans are\n                         communicated to all applicable sites for\n                         implementation;\n\n                     2. Developing formal audit follow-up assessment\n                        review orocedures as required by Departmental\n                        Order, to verify and document that actions taken\n                        have corrected the issues identified through audits\n                        prior to the submission of the assurance\n                        certification;\n\n                     3. Ensuring that appropriate officials are held\n                        accountable for carrying out formal assessments and\n                        reviews; and,\n\n                     4. Reviewing all 01G findings and recornlendations\n                        to determine the applicability of the issues\n                        identified and whether actions need to be taken at\n                        sites/programs other than those specifically\n                        mentioned in the audit.\n\n\nMANAGEMENT        The Department and the NNSA provided consolidated\nREACTION          conments to the draft report and concurred with the\n                  reconmendations. The Department agreed to issue\n                  guidance to program offices reemphasizing the\n                  requirements of the audit resolution and follow-up\n\nPage 11                              Recommendations and Comments\n\x0c           program. This guidance, according to the Department, will\n           focus on the efficient and effective resolution of audit\n           findings and recommendations; the assignment of\n           accountability to senior program element managers for the\n           management of their respective audit resolution processes;\n           and senior management requirements for providing\n           corporate oversight, review, and resolution of audit issues.\n           In addition, the Department indicated that it will perform\n           periodic follow-up activities to help ensure effective\n           implementation of the guidance. Also, NNSA has agreed\n           to formalize its certification methodologies for use by the\n           site managers, the Service Center Director, and senior\n           program officials in its organization.\n\n           Even though NNSA concurred, it noted that it did not\n           believe that additional action was required for\n           Recommendations 1 and 4 because its current audit\n           resolution process was sufficient to address those\n           recommendations. Specifically, in response to\n           Recommendation 1, NNSA indicated that corrective action\n           plans are already distributed to all appropriate elements\n           within NNSA. These plans are provided through the\n           formal Management Decision process andlor through\n           DARTS. Furthermore, in response to Recommendation 4,\n           NNSA added that it had an established process to allow all\n           elements to review all issues raised in audit reports for\n           applicability.\n\n           Separate technical comments were also provided by NNSA,\n           the Offices of Health, Safety and Security, EM, and\n           Science.\n\n\nAUDITOR    Comments from the Department and NNSA acknowledge\nCOMMENTS   that improvements are needed in the audit resolution and\n           follow-up process area. Management\'s planned actions,\n           where provided, were responsive to the report\'s\n           recommendations.\n\n           We do not, however, agree with NNSA\'s assertion that two\n           of the recommendations have already been addressed as\n           they apply to NNSA. NNSA stated that under its current\n           audit resolution process, corrective action plans are\n           provided to all appropriate elements under NNSA. As we\n           noted in our report, however, such was not always the case.\n           Specifically, we noted that NNSA\'s resolution of our\n           January 2003 OIG report (DOE/IG-0582) on badging and\n\nPage 12                                                  Comments\n\x0c          security clearances did not ensure that a corrective action\n          plan was coinmunicated to Los Alamos, one of the sites\n          included in the report, for implementation. As a result,\n          these issues were still occurring at Los Alamos in February\n          2005, as demonstrated by an OIG inspection report. As\n          part of the management decision process, we hope to\n          review NNSA\'s documented procedures for the creation\n          and distribution of corrective action plans to each of the\n          organizations under its control.\n\n          Finally, NNSA stated that it has an established process in\n          place to allow all elements to review for applicability to\n          their specific sites or programs those issues that are being\n          raised in audit reports. However, according to a\n          management official, NNSA\'s current process excludes\n          OIG reports that do not include NNSA as part of the audit.\n          We believe this approach could cause NNSA to miss\n          opportunities to review certain report findings and\n          recommendations that may be applicable. It may also be\n          beneficial for NNSA to use an Audit Trends/Crosscutting\n          Issue analysis similar to the one mentioned in\n          management\'s comments as a tool to facilitate NNSA\'s\n          assessments of applicability.\n\n          Management\'s comments have been incorporated into the\n          reno0 ~xrher~,\n                      annlirahl~and inrlild~rlv~rhatimas A??~ndix 4\n                        A   A\n\n\n\n\nPage 13                                                  Comments\n\x0cAppendix I\n\nOBJECTIVE     To evaluate the Department of Energy\'s (Department) progress\n              on correcting prior audit follow-up issues and to determine\n              whether issues identified through recent Office of Inspector\n              General (OIG) audits had been resolved.\n\n\nSCOPE         The audit was performed between February 2006 and May\n              2007. We conducted work at Headquarters and received\n              information fi-om Oak Ridge National Laboratory, Y-12\n              National Security Complex, East Tennessee Technology Park,\n              Savannah River Site, Brookhaven National Laboratory, Los\n              Alamos National Laboratory, and the Strategic Petroleum\n              Reserve Project Management Office.\n\n\nMETHODOLOGY   To accomplish our audit objective, we:\n\n                     Reviewed applicable Departmental orders and policies\n                     and procedures implemented at the Department;\n\n                     Held discussions with Headquarters program and site\n                     officials regarding audit resolution and follow-up\n                     process;\n\n                     Selected and analyzed ail OIG audit reports and\n                     associated recommendations fi-om the first half of 2005\n                     to determine if target closure dates were established and\n                     ensured timely closure of audit recommendations;\n\n                     Reviewed Departmental Audit Report Tracking System\n                     data to determine status of selected OIG audit\n                     recommendations;\n\n                     Reviewed six judgmentally-selected OIG audit reports\n                     dated fi-om February 200 1 to November 2005 with\n                     "closed" recommendations to determine whether\n                     corrective action plans had been developed and\n                     implemented, and whether actions taken actually\n                     corrected the weaknesses;\n\n                     Obtained data files of active badges fi-om site badge\n                     systems and active clearances fi-om the Central\n                     Personnel Clearance Index (CPCI) system at\n                     Headquarters;\n\n\nPage 14                              Objective, Scope, and Methodology\n\x0cAppendix I(continued)\n\n\n                          Used Audit Colnilland Language (ACL), a data-mining\n                          software tool, to compare contractor human resource\n                          listings of e~nployeesto CPCI to determine whether\n                          they still had an active clearance in the CPCI;\n\n                          Held discussions with Headquarters and field site\n                          officials to gain an understanding of roles,\n                          responsibilities, and procedures concerning CPCI and\n                          local site badge systems;\n\n                          Used ACL to compare the Department\'s Foreign Access\n                          Central Tracking System (FACTS) to a site\'s foreign\n                          visits and assignments tracking system; and,\n\n                          Held discussions with Headquarters and field site\n                          officials to gain an understanding of roles,\n                          responsibilities, and procedures concerning FACTS and\n                          the local foreign visits and assignments tracking\n                          systems.\n\n                   The audit was performed in accordance with generally\n                   accepted Govenunent auditing standards for performance\n                   audits and included tests of internal controls and compliance\n                   with laws and regulations to the extent necessary to satisfy the\n                   audit objective. Accordingly, we assessed the significant\n                   internal controls and performance measures established under\n                   the Government Performance and Results Act of 1993.\n                   Specific performance measures concerning the audit resolution\n                   and follow-up process were established in the area of meeting\n                   audit recommendations closure milestone targets. Because our\n                   review was limited, it would not necessarily disclose all\n                   internal control deficiencies that may have existed at the time\n                   of our audit. We obtained and reviewed the computer\n                   processed data made available to us in order to achieve our\n                   audit objective. We validated the reliability of such data, to the\n                   extent necessary to satisfy our audit objective, by tracing it to\n                   source documents or other supporting information.\n\n                   We held an exit conference with management on May 3,2007.\n\n\n\n\nPage 15                                    Objective, Scope, and Methodology\n\x0cAppendix 2\n\n                             AUDIT REPORTS REVIEWED\n\n\nThe following are the six audits selected for review to determine whether corrective action\nplans had been developed and implemented, and whether actions taken actually corrected the\nweaknesses.\n\n       Information Technology Managenlent Letter on the Audit of the Department of\n       Energy\'s Consolidated Financial Statements for Fiscal Year 2005 (OAS-FS-06-02,\n       November 2005). The results of the Fiscal Year 2005 Information Technology\n       control reviews indicated that network and information systems security control\n       weaknesses continue to exist in the Department of Energy\'s (Department) unclassified\n       information systems.\n\n       Depleted Urnniur~zHexafluoride Corzver.siorz (DOEIIG-0642, March 2004). This\n       audit concluded that the Department\'s plan for converting depleted uranium\n       hexafluoride inventories could be improved by adding an additional conversion line\n       to the Portsmouth facility. At the time of the audit, plans called for three conversion\n       lines, which were capable of processing 13,500 metric tons of depleted uranium\n       hexafluoride per year. By adding another conversion line, Portsmouth could have\n       processed 4,500 metric tons of additional material annually and completed the project\n       nearly five years earlier than planned. The facility size was not optimized because\n       the Department\'s acquisition strategy emphasized initial capital costs rather than\n       minimizing life-cycle costs. By increasing the production capacity at Portsmouth, the\n       Departilleilt could have shoitened the duration of the Portsinouth co~lversioilproject\n       by about 5 years and saved about $55 million.\n\n       Personnel Security Clearances and Badge Access Controls at Selected Field\n       Locations (DOEIIG-0582, January 2003). This audit identified that at the Oak Ridge\n       Reservation (Oak Ridge), 26 (8 percent) of our sample of 309 coiltractor and other\n       non-federal workers retained badge authority after they terminated their association\n       with the Department. Additionally, at Savannah River Site, 34 of 177 (19 percent)\n       individuals improperly retained the authority to hold security clearances after they\n       terminated their association with the Department. Similarly, at Sandia National\n       Laboratories, 14 of 108 (13 percent) former workers inappropriately maintained\n       active clearances and, at Oak Ridge, 15 (about 6 percent) individuals improperly held\n       active clearances. Processes in place at the time of the review did not ensure that\n       authorizations were promptly removed f?om systems and could have permitted those\n       who improperly retained a clearance or badge with a window of opportunity to enter\n       or access sites without authority. Recommendations were made to help the\n       Department strengthen controls over badge recovery and clearance termination within\n       the Central Personnel Clearance Index (CPCI).\n\n\n\n\nPage 16                                                            Audit Reports Reviewed\n\x0cAppendix 2 (continued)\n\n\n     The Departnzent\'s Ur7classzJied For-eign Jfisits and Assig~lnzentsProgrum (DOEIIG-\n     0579, December 2002). T h s audit found that the Department had not adequately\n     controlled unclassified visits and assignments by foreign nationals at two national\n     laboratories. Specifically, one Office of Science (Science) laboratory had not\n     required or maintained accurate passport and visa information for 91 of the 187 (49\n     percent) randomly selected visitors or assignees reviewed. Forty-one of the 91 had\n     active badges and could have accessed most of the site\'s facilities. Thrty-four of the\n     91 were fi-om sensitive countries such as the People\'s Republic of China, India, and\n     Russia. Similar problems were noted at the NIVSA-managed laboratory. Passport\n     and visa data were missing or incomplete for 37 of the 188 (20 percent) individuals\n     selected. Twelve of those with incomplete or missing information had an active\n     badge. Of the 37 individuals, 17 were from sensitive countries. In addition, the\n     Science laboratory permitted foreign nationals to access its facilities prior to approval\n     of their visit or assignment. We found that 74 of 187 (40 percent) visitors and\n     assignees from the Science-managed laboratory had been issued badges and allowed\n     site access before their visit or assignment was approved. Finally, neither laboratory\n     provided sufficient information to the Department\'s centralized tracking system\n     (Foreign Access Central Tracking System), which was designated to facilitate\n     complex-wide tracking of the status of foreign nationals. Weaknesses occurred\n     because of the lack of specificity in policy guidance, problems with implementation,\n     and a lack of clear and quantifiable performance measures. Recommendations were\n     made to help the Department strengthen management practices for controlling\n     unclassified visits and assignments by foreign nationals.\n\n     Nuclear Materials Accounting Systems Modernization Initiative (DOELG-0556, June\n     2002). This audit found that the Department had not adequately managed its\n     activities to redesign or modernize its nuclear materials accounting systems.\n     Moreover, planned and ongoing system development efforts were not fully consistent\n     with the Corporate Systems Information Architecture.\n\n     Tlze US. Depart~nentofEnel-gy\'s Corporate Human Resource Information System\n     (DOEJIG-0494, February 2001). This audit found that the U.S. Department of\n     Energy\'s Corporate Human Resource Information System (CHRIS) had not satisfied\n     all Federal and Departmental requirements and had not met certain Departmental\n     goals and objectives. For example, (1) several system development activities were\n     inadequate or had not been completed; (2) Departmental initiatives to reengineer\n     certain Human Resources processes and eliminate over 50 redundant systems had not\n     been satisfied; and, (3) CHRIS had computer security weaknesses that increased the\n     risk of unauthorized access or malicious damage to the system.\n\n\n\n\nPage 17                                                           Audit Reports Reviewed\n\x0cAppendix 3\n\n                                   PRIOR REPORTS\n\nOffice of Inspector General Reports\n\n      Badge Retrieval and Security Clearance Termination at Sandia National Laboratory-\n      New Mexico (DOEIIG-0724, April 2006). This inspection concluded that Sandia\n      National Laboratory-New Mexico\'s (Sandia) internal controls were not adequate to\n      ensure that, in accordance with applicable policies and procedures, security badges\n      assigned to terminating Sandia and subcontractor employees were retrieved at the\n      time of departure or that security clearances of terminating Sandia and subcontractor\n      employees were terminated in a timely manner.\n\n      Security Clearance Terminations and Badge Retrieval at the Lawrence Livermore\n      National Laboratory (DOEAG-07 16, January 2006). This inspection concluded that\n      Lawrence Livermore National Laboratory\'s internal control structure was not\n      adequate to ensure that security badges were retrieved at the time of employee\n      departure or that security clearances of departing employees were terminated in a\n      timely manner.\n\n      Security and Other Issues Related to Out-Processing of Employees at Los Alamos\n      National Laboratory (DOEIIG-0677, February 2005). This inspection identified that\n      Los Alarnos National Laboratory\'s (Los Alamos) out-processing procedures were not\n      followed by more than 40 percent of the 305 terminating employees included in our\n      sample. Consequently, Property Administrators, Classified Document Custodians,\n      and Badge Office personnel frequently did not receive timely notification that\n      employees were terminating. Given this and the results of additional sampling, we\n      found that there was no assurance that, prior to departure, Los Alamos terminating\n      employees turned in security badges, completed the required Security Termination\n      Statement, or had their security clearances and access authorizations to classified\n      matter andlor special nuclear material terminated in a timely manner.\n\n      Management of the Department\'s Personnel Security and Access Control Information\n      Systems (DOEIIG-065 1 , June 2004). This audit found that the Department of\n      Energy\'s (Department) information systems modernization initiatives would not: (1)\n      significantly improve the ability of its corporate personnel security system to track\n      visitor site access, reconcile with contractor clearance tracking systems, enable field\n      sites to generate customized reports, or increase user system access; (2) eliminate\n      costly development and maintenance of numerous separate, site-level personnel\n      security information systems; and, (3) reduce overlapping or redundant physical\n      access control systems that do not communicate with each other, including those at\n      some facilities located in close proximity to one another. This occurred because the\n      Department had not developed a comprehensive framework for modernizing its\n      personnel security and access control information systems, and did not always follow\n      sound system development practices.\n\n\n\n\nPage 18                                                                       Prior Reports\n\x0c     Tlze Depal-t~~ze~zt\'s\n                        Audit Resolution P~*ocess(DOEIIG-0639, February 2004). Tl-Lis\n     audit observed that: (1 ) target dates for colnpletion of corrective actions had not been\n     established for 44 percent of the 104 recommendations we reviewed; (2) where target\n     dates were established, 57 percent of the corrective actions taken exceeded closure\n     milestones; (3) in several cases, recoinmendations were closed even though corrective\n     actions had not been taken; and, (4) the Department did not take advantage of\n     potential savings of about $26 million due to delays in corrective action\n     implementation.\n\n     Personnel Security Clearances and Badge .4 ccess Contl-01s at Department\n     Headqua]-ters(DOEIIG-0548, March 2002). This audit disclosed that the Department\n     had either not terminated former federal and contractor employees\' clearances or had\n     not recovered their badges. Errors occurred because program offices had not always\n     provided employment termination illformation to Headquarters Security Operations\n     or held contractors accountable for adherence to Departmental policy.\n\n\n\n\nPage 19                                                                       Prior ~ e ~ o r t s\n\x0cAppendix 4\n\n\n\n                                       Department of Energy\n                                National Nuclear Security Administration\n                                        Washington. DC 20585\n\n                                           February 15, 2007\n\n\n\n\n             MEMORANDUM FOR                Rickey R. Hass\n                                           hsistant Inspector General\n\n\n             FROM:\n\n\n\n                                           Associate ~dministrator/      /  *\n\n                                             for Management and Administration\n\n             SUBJECT:                      Comments to Audit Resolution and Follow-up\n                                           Process Draft Report; A06PT0 1 4\n\n\n             The Department of Energy (Department) and the National Nuclear\n             Security Administration (NNSA) appreciate the opportunity to review\n             the Inspector General\'s (IG) draft report, "The Department\'s Audit\n             Resolution and Follow-up Process." We understand that this audit was\n             conducted to evaluate the Department\'s progress on correcting prior\n             audit follow-up issues and to determine whether the Department has\n             taken appropriate actions to resolve issues identified through recent IG\n             audits.\n\n             Although the Department and NNSA concur with the recommendations,\n             NNSA has concerns, as attached, with the report as it is written.\n             Additionally, we are providing technical comments on the report from the\n             following Departmental organizations: Office of Health, Safety and\n             Security; Office of Environmental Management, Office of Science; and\n             Bechtel Jacobs Company LLC-East Tennessee Technology Park.\n\n             Should you have any questions, please contact Richard Speidel or Dean\n             Childs on 202-586-5009 or 301 -9Q3-2560,respectively.\n\n             Attachments\n\n\n\n\nPage 20                                                                    Management Comments\n\x0cAppendix 4 (continued)\n\n\n\n\n                                                                                                     Attachment 1\n\n\n                                                   Comments on\n                                          Inspector General Draft Report\n                              "The Department\'s Audit Resolution and Follow-up Process"\n\n\n          We suggest that the introduction to the recommendations be restated as follows:\n\n          We recommend that either the Program Secretarial Officers, in coordination with the Chief\n          Financial Officer or the Administrator, NNSA, as appropriate, reinforce existing requirements by:\n\n              1. Recommendation\n\n                 Ensuring that formal corrective action plans are communicated to all applicable sites for\n                 implementation;\n\n\n\n                 Concur\n\n                 The Department will issue guidance to reemphasize the requirements of the audit resolution and\n                 follow-up program. This guidance will focus on the efficient and effective resolution of audit\n                 findings and recommendations; the assignment of accountability to senior program element\n                 managers for the management of their respective audit resolution processes; and senior manager\n                 requirements for providing corporate oversight, review and resolution of audit issues.\n                 Additionally, the Office of the Chief Financial Officer will be issuing a revised Audit\n                 Coordinator\'s Handbook which identifies the roles and responsibilities of the Program Secretarial\n                 Offices\' (PSO) designated audit coordinators in supporting this objective. This action is\n                 scheduled for closure by December 2007.\n\n                 For NNSA, corrective action plans are provided to all appropriate elements within NNSA as part\n                 o i its current audit resolution process. These plans are provided through the formal Management\n                 Decision process andlor through the Departmental Audit Report Tracking System. Therefore,\n                 t h s recommendation is considered to be closed as it applies to NNSA.\n\n            2.   Recommendation\n\n                 Developing formal audit follow-up assessment review procedures as required by Departmental\n                 Order, to verify and document actions taken have corrected issues identified through audits prior\n                 to the submission of the assurance certification;\n\n\n\n\nPage 21                                                                                     Management Comments\n\x0cAppendix 4 (continued)\n\n\n\n\n               Management Comment\n\n               Concur.\n\n               The Department will issue guidance to reemphasize the requirements of the audit resolution and\n               follow-up program. This guidance will provide specific clarification of requirements for PSOs to\n               maintain operating procedures and systems for audit resolution and follow-up, and ensure\n               corrective actions have been implemented to effectively address audit report recommendations\n               prior to submission of assurance certificates. The Office of the Chief Financial Officer will\n               conduct periodic validations to ensure that these procedures are in place. This action is scheduled\n               for closure by December 2007.\n\n               NNSA currently has a variety of methods to accomplish the intent of this recommendation.\n               However, these methodologies will be formalized and provided to the site managers, Service\n               Center Director and senior program officials for their appropriate use. Some of the various\n               methods for assessment currently utilized include:\n\n                       Verification of corrective action by the Contractors\' internal auditors as part of the\n                       Cooperative Audit Strategy, with certification submitted to the appropriate Federal\n                       manager;\n                       Incorporation of audit follow-up into annual topical surveys, such as the annual site\n                       specific security survey;\n                       Verifications conducted by the Financial Internal Controls element as part of A-123\n                       process repodng;\n                       Inclusion into the Contractor Assurance System [this is an item that is important since\n                       NNSA is moving into a risk management/contractor assurance system as opposed to a\n                       compliance system of controls];\n                       Verifications conducted by NNSA\'s Internal Affairs element; andlor\n                       Inclusion into Program Reviews until open findings are completed/corrected.\n\n               NNSA has also implemented a review and approval step at Headquarters for those reports that are\n               managed by the various programmaticladministrative elements. The senior fimctionalAine\n               manager (Associate Administrator for Defense Nuclear Security or the Deputy Administrator for\n               Defense Programs, for example) will conduct an appropriate review and will concur with the\n               certification package prior to submission to the Director, Policy and Internal Controls\n               Management for final review. The Director makes the final recommendation for Certification of\n               Completeness to the Associate Administrator for Management and Adrmnistration. NNSA\'s\n               formalization of certification will be completed by the end of September 2007.\n\n\n          3.   Recommendation\n\n               Ensuring that appropriate officials are held accountable for carrying out formal assessments and\n               reviews; and,\n\n\n\n\nPage 22                                                                               Management Comments\n\x0cAppendix 4 (continued)\n\n\n\n\n               Management Comment\n\n               Concur\n\n               Current Departmental guidelines define clear lines of accountability for audit resolution activities,\n               including assessments and reviews. The Department will issue guidance to reemphasize the\n               requirements of the audit resolution and follow-up program, including the conduct of audit\n               follow-up assessments or reviews on the implementation of corrective actions to address all audit\n               report recommendations prior to providing an Assurance of Effectiveness of Corrective Actions\n               Taken. Periodic validations of PSO procedures to accomplish these assessments will help\n               enhance that accountability. This action is scheduled for closure by December 2007.\n\n               NNSA also has formal lines of accountability incorporated into its methodology of\n               operations. Managers are accountable and are held accountable by the Administrator as\n               appropriate. For audit resolution, the lines of accountability run from the contractor to\n               the site office or from the Headquarters program element prior to final certification by the\n               Associate Administrator for Management and Administration. This recommendation is\n               considered closed as it applies to NNSA.\n\n          4.   Recommendation\n\n               Reviewing all OIG findings and recommendations to determine the applicability of the issues\n               identified and whether actions need to be taken to resolve identified issues.\n\n               Management Comment\n\n               Concur.\n\n               The Department will issue guidance to reemphasize primary responsibilities of the head of each\n               Departmental organization to review all audit report fmdings and recommendations assigned to\n               oiher organizations to determine whether they may be applicable withln their own organizations.\n               To help facilitate the programs\' assessments of applicability, the Office of the Chief Financial\n               Officer recently implemented an Audit Trends/Crosscutting Issues Analysis, which identifies\n               significant audit issues that may impact multiple programs and sites. Departmental actions are\n               scheduled for closure by December 2007.\n\n               NNSA has an established process to allow all elements to review for applicability to their\n               specific sites or programs those issues that are being raised in audit reports. This process\n               includes the following steps:\n\n                   All draft reports, regardless of topical area audited or site visited, are provided to the\n                   NNSA complex. This communications process includes senior NNSA managers\n                   (Administrator, Deputy and Associate Administrators, Service Center Director, and\n                   appropriate site managers), senior program managers, the Federal internal controls\n                   community, and internal auditors.\n                   All final reports are provided to the entire NNSA complex as described above.\n                   The NNSA internal controls community is informed, on a weekly basis during a\n                   conference call, of draft andlor final reports that have been issued.\n\n               Therefore, this recommendation is considered to be closed as it applies to NNSA\n\n\n\n\nPage 23                                                                           Management Comments\n\x0c                                                                IG Report No. DOEIIG-0766\n\n                         CUSTOMER RESPONSE FORM\n\nThe Office of Inspector General has a continuing interest in improving the usefulness of\nits products. We wish to make our reports as responsive as possible to our customers\'\nrequirements, and, therefore, ask that you consider sharing your thoughts with us. On the\nback of this form, you may suggest improvements to enhance the effectiveness of future\nreports. Please include answers to the following questions \'if they are applicable to you:\n\n1. What additional background information about the selection, scheduling, scope, or\n   procedures of the inspection would have been helpful to the reader in understanding\n   this report?\n\n3. \'Nhat additioiial information related to findings and recomnlendatio~lscould have\n   been included in the report to assist management in implementing corrective actions?\n\n3. What format, stylistic, or organizational changes might have made this report\'s\n   overall message more clear to the reader?\n\n4. What additional actions could the Office of lnspector General have taken on the\n    issues discussed in this report which would have been helpful?\n\n                                                                                t x :hs;:d\n5. Please include your name and telephone number so that we m a y r n r t ~ c ;,n\n   h.2 l l a ally\n             ~ ~ questions about your comments.\n\n\nNain e                                           Date\n\nTelephone                                        Organization\n\n\nWhen you have completed this form, you may telefax it to the Office of Inspector\nGeneral at (202) 586-0948, or you may mail it to:\n\n                             Office of Inspector General (IG- I )\n                                   Department of Energy\n                                  Washington, DC 20585\n\n                                ATTN: Customer Relations\n\n\n\nIf you wish to discuss this report or your comments with a staff member of the Office of\nInspector General, please contact Judy Garland-Smith (202) 586-7828.\n\x0cThe Office of Inspector General wants to make the distribution of its reports as customer friendly\n and cost effective as possible. Therefore, this report will be available electronically through the\n                                 Internet at the folloxing address:\n\n               U.S. Department of Energy Office of Inspector General Home Page\n                                    hg~://www.i~.ener~v.oov\n\n  Your conments would be appreciated and can be provided on the Customer Response Form.\n\x0c'